Parse CycloneDX SBOMs to URL or Package, as appropriate. #839

mchernicoff · 2025-01-28T14:35:32Z

Currently we parse all CycloneDX SBOMs to a repo URL, regardless of the SBOM's component pURL type. But this is actually doing two steps at once: parsing the target from the pURL and then resolving the target to a git repo URL. Instead, we should treat the pURL like a pURL given as a target, returning a GitHub repo URL, Maven POM file URL, or NPM or PyPI package as appropriate.

Edit: Currently an NPM or PyPI package passed from a CyclconeDX SBOM requires a --ref flag because we do not keep the version information. This fix would make that flag optional when the version is provided in the SBOM's pURL.

The text was updated successfully, but these errors were encountered:

mchernicoff added product: hc Relates to the core "hc" binary type: enhancement New feature or request labels Jan 28, 2025

mchernicoff added this to the 3.11.0 milestone Jan 28, 2025

mchernicoff added this to Hipcheck Dev Roadmap Jan 28, 2025

github-project-automation bot moved this to Todo in Hipcheck Dev Roadmap Jan 28, 2025

j-lanson assigned ninaagrawal Feb 17, 2025

j-lanson added this to Hipcheck Product Roadmap Feb 24, 2025

j-lanson moved this to In Progress in Hipcheck Product Roadmap Feb 24, 2025

alilleybrinker modified the milestones: 3.11.0, 3.12.0 Feb 24, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Parse CycloneDX SBOMs to URL or Package, as appropriate. #839

Parse CycloneDX SBOMs to URL or Package, as appropriate. #839

mchernicoff commented Jan 28, 2025 •

edited

Loading

Parse CycloneDX SBOMs to URL or Package, as appropriate. #839

Parse CycloneDX SBOMs to URL or Package, as appropriate. #839

Comments

mchernicoff commented Jan 28, 2025 • edited Loading

mchernicoff commented Jan 28, 2025 •

edited

Loading